Simple Password Question.

tecktalkcm0391
DevNet Resident
Posts: 1030
Joined: Fri May 26, 2006 9:25 am
Location: Florida

Post by tecktalkcm0391 »

Would it be better to use the encrypt feature of PHP or the md5 feature for the password to logon to my site?
hawleyjr
BeerMod
Posts: 2170
Joined: Tue Jan 13, 2004 4:58 pm
Location: Jax FL & Spokane WA USA

Post by hawleyjr »

Neither.

Search this forum for salt, sha1 and password. BTW, none of the above are encrypted :)

Post by tecktalkcm0391 »

Is this encrypted and secure:

Code:

<?php
   $key = "this is a secret key";
   $input = "Let us meet at 9 o'clock at the secret place.";

   // Open Triple DES in ECB mode.
   $td = mcrypt_module_open('tripledes', '', 'ecb', '');
   // ECB ignores the IV, but mcrypt_generic_init() still takes one.
   $iv = mcrypt_create_iv(mcrypt_enc_get_iv_size($td), MCRYPT_RAND);
   mcrypt_generic_init($td, $key, $iv);
   // Two-way encryption: anyone holding $key can decrypt $encrypted_data.
   $encrypted_data = mcrypt_generic($td, $input);
   mcrypt_generic_deinit($td);
   mcrypt_module_close($td);
?>
Ambush Commander
DevNet Master
Posts: 3698
Joined: Mon Oct 25, 2004 9:29 pm
Location: New Jersey, US

Post by Ambush Commander »

It is encrypted and secure, for that context: making sure a message can only be read by a recipient. That's not the kind of security you are aiming for with passwords.

Post by tecktalkcm0391 »

Well, what do you suggest? I was thinking about doing the same thing with the post[ed code], but wherever the password is needed it encrypts or decrypts using the same key.

Post by tecktalkcm0391 »

Or would this be better:

Code:

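<?php
// Initialise a GnuPG context.
$res = gnupg_init();
// Select the recipient's public key by fingerprint.
gnupg_addencryptkey($res,"8660281B6051D071D94B5B230549F9DC851566DC");
// Encrypt the text for that key; the matching private key decrypts it.
$enc = gnupg_encrypt($res, "just a test");
echo $enc;
?>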

Post by hawleyjr »

Ambush Commander wrote: That's not the kind of security you are aiming for with passwords.
:wink:

Post by tecktalkcm0391 »

Then what would be the right security? Can you tell me a little more in depth, like, do this one because....

Post by hawleyjr »

hawleyjr wrote: Neither.

Search this forum for salt, sha1 and password. BTW, none of the above are encrypted :)
Lots of repeating going on here :roll:
Last edited by hawleyjr on Thu Jun 01, 2006 11:15 pm, edited 1 time in total.

Post by tecktalkcm0391 »

Well, sorry, I searched and didn't find anything that helped.

Post by hawleyjr »


Post by tecktalkcm0391 »

OK cool, could I use that along with something like:

Code:

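<?php
// Initialise a GnuPG context.
$res = gnupg_init();
// Select the recipient's public key by fingerprint.
gnupg_addencryptkey($res,"8660281B6051D071D94B5B230549F9DC851566DC");
// Encrypt the text for that key; the matching private key decrypts it.
$enc = gnupg_encrypt($res, "just a test");
echo $enc;
?>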

Post by tecktalkcm0391 »

Can anyone tell me if that is good?
bdlang
Forum Contributor
Posts: 395
Joined: Tue May 16, 2006 8:46 pm
Location: Ventura, CA US

Post by bdlang »

I think what everyone's trying to say, forget about 'encrypting' the password, it's unnecessary. Use a HASH instead, like suggested with sha1 (although sha1 has recently been found to be not as 'secure' as thought, it's still fine for the intended purpose) with a SALT, and store the value in the database. When logging the user back in, compare hashed password value with the SALT against the HASH stored in the database. That's it.
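
The store-then-compare flow described in the post above, as an added example that is not part of the original thread: it uses PHP's built-in password_hash() and password_verify() (PHP 5.5+), which generate the salt and keep it inside the stored string, with PASSWORD_DEFAULT in place of sha1. The $users array standing in for the database table and the names register_user() and check_login() are assumptions.

```php
<?php
// Added example. $users stands in for the users table (hypothetical storage);
// register_user() and check_login() are illustrative names.

function register_user(array &$users, string $name, string $password): void
{
    // password_hash() draws a fresh random salt and returns one string that
    // holds algorithm, cost, salt and hash. That string is what gets stored.
    $users[$name] = password_hash($password, PASSWORD_DEFAULT);
}

function check_login(array &$users, string $name, string $password): bool
{
    // Unknown names are verified against a dummy hash so that both paths
    // perform one hash computation.
    static $dummy = null;
    if ($dummy === null) {
        $dummy = password_hash('placeholder', PASSWORD_DEFAULT);
    }
    $known  = isset($users[$name]);
    $stored = $known ? $users[$name] : $dummy;

    // password_verify() reads the salt out of $stored, hashes the candidate
    // with it and compares the two results in constant time.
    if (!password_verify($password, $stored) || !$known) {
        return false;
    }
    // Re-hash on successful login when the default algorithm or cost changed.
    if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $users[$name] = password_hash($password, PASSWORD_DEFAULT);
    }
    return true;
}

// Constructed sample data: two users who picked the same password.
$users = [];
register_user($users, 'alice', 'correct horse battery staple');
register_user($users, 'bob', 'correct horse battery staple');

// Correct password, wrong password, unknown user.
var_dump(check_login($users, 'alice', 'correct horse battery staple'));
var_dump(check_login($users, 'alice', 'wrong guess'));
var_dump(check_login($users, 'mallory', 'placeholder'));
// Per-user salts make the two stored strings differ despite equal passwords.
var_dump($users['alice'] === $users['bob']);
```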

Post by tecktalkcm0391 »

The reason I am aiming for encryption is that I want the users to be able to retrieve their password, and get it sent to them.